Vulnerability Reporting & Notification Policy

AvePoint has a standard policy for receiving reports related to potential security vulnerabilities in its products and services, and a standard practice with regard to informing customers of verified vulnerabilities and remediation guidance.

When to Contact

Contact the AvePoint Product Security Incident Response Team by sending an email to security@avepoint.com in the following situations:

- You have identified a potential security vulnerability with one of our products.
- You have identified a potential security vulnerability with one of our services.

After your incident report is received, the appropriate personnel will contact you to follow up.

AvePoint Product Security Incident Response Process

AvePoint follows a multi-step process when responding to vulnerabilities and notifying our customers.

1. Vulnerability Report Received

AvePoint attempts to acknowledge receipt of all submitted reports within seven days. In some instances, acknowledgement of receipt may be delayed due to company or national holidays. In those cases, AvePoint will make every attempt to respond within the seven-day window upon the resumption of normal business activities.

2. Verification

Once a finder has initiated contact with AvePoint regarding a potential vulnerability, AvePoint PSIRT engineers will attempt to verify the existence of the vulnerability using several methods. To aid in the verification of a suspected vulnerability, AvePoint may or may not choose to engage with the disclosing parties. If AvePoint determines that the finder has not provided enough information, AvePoint may contact the finder to request additional details. In all cases, AvePoint attempts to respond to all properly formatted vulnerability reports within seven days of receipt.

3. Resolution Development

When determining the best resolution, AvePoint will attempt to balance the need to create a resolution quickly with the testing required to ensure the resolution does not negatively impact affected users due to quality issues. In making this determination, AvePoint will consider factors such as whether a vulnerability poses a high risk of exploitation of affected users, either because it is simple to exploit, or because the issue is already being actively exploited.

A temporary or intermediary resolution that consists of a mitigation or workaround may be necessary in cases where a vulnerability poses a high risk to users. A non-comprehensive resolution that works in most scenarios may also be necessary in high-risk circumstances.

4. Notification

Without exception, AvePoint makes every effort to disclose the minimum amount of information required for a customer to assess the impact of a vulnerability in their environment as well as any steps required to mitigate the threat. AvePoint does not intend to provide any details that could enable a malicious actor to develop an exploit. In no case will AvePoint disclose a vulnerability until a patch has been developed or a set of mitigating controls has been verified to significantly reduce the threat.

AvePoint security publications are posted to its support page and sent to the customer-security-announcement@AvePoint.com email alias.

At its discretion, AvePoint gives credit to external vulnerability discoverer(s) only if:

- They desire to be identified as a discoverer and have provided explicit consent to divulge their identity.
- They gave AvePoint the opportunity to remediate and notify our customer base prior to making the vulnerability public.

Organizations, teams, individuals, or any combination thereof may be identified as discoverers. It is the responsibility of each discoverer to obtain any necessary permission from its employer to be identified by AvePoint.

5. Post-Resolution Support

Updates to the vulnerability resolution may be required after AvePoint has released a security publication, associated software patches, or software updates. If an update is required, AvePoint will update security resolutions as appropriate, until further updates are no longer relevant.

Scoring, Prioritizing, and Responding

AvePoint uses the following Common Vulnerability Scoring System (CVSS) guidelines during the evaluation of reported vulnerabilities and when determining how and when a vulnerability will be disclosed:

- Security Response – address issues that require a response to information discussed in a public forum, such as a blog or discussion list; security responses are normally published if a third party makes a public statement about an AvePoint product vulnerability

NOTICES AND COPYRIGHT INFORMATION

Notice

The materials contained in this publication are owned or provided by AvePoint, Inc. and are the property of AvePoint or its licensors, and are protected by copyright, trademark and other intellectual property laws. No trademark or copyright notice in this publication may be removed or altered in any way.

Trademarks

AvePoint®, DocAve®, the AvePoint logo, and the AvePoint Pyramid logo are registered trademarks of AvePoint, Inc. with the United States Patent and Trademark Office. These registered trademarks, along with all other trademarks of AvePoint used in this publication are the exclusive property of AvePoint and may not be used without prior written consent.

All other trademarks contained in this publication are the property of their respective owners and may not be used without such party’s consent.

Changes

The material in this publication is for information purposes only and is subject to change without notice. While reasonable efforts have been made in the preparation of this publication to ensure its accuracy, AvePoint makes no representation or warranty, expressed or implied, as to its completeness, accuracy, or suitability, and assumes no liability resulting from errors or omissions in this publication or from the use of the information contained herein. AvePoint reserves the right to make changes in the Graphical User Interface of the AvePoint software without reservation and without notification to its users.